Re: [tram] Transport of ICMP errors in TURN

"Cullen Jennings (fluffy)" <fluffy@cisco.com> Thu, 27 August 2015 14:33 UTC

From: "Cullen Jennings (fluffy)" <fluffy@cisco.com>
To: Simon Perreault <sperreault@jive.com>
Thread-Topic: [tram] Transport of ICMP errors in TURN
Date: Thu, 27 Aug 2015 14:33:47 +0000
Message-ID: <72AD57D8-AF37-4F06-9A3C-848C53B4640D@cisco.com>
References: <55DD94FF.7080400@acm.org> <55DDB133.6090608@jive.com> <A8F8D0A4-C847-4F3E-B5A3-45DA47CB95D9@cisco.com> <913383AAA69FF945B8F946018B75898A478C7C70@xmb-rcd-x10.cisco.com> <44C024B4-CAC6-4E3A-A812-793809449E10@cisco.com> <55DF1D4D.7010000@jive.com>
In-Reply-To: <55DF1D4D.7010000@jive.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/nUn4TY_8RLswPD7gqbYblQpZ6R0>
Cc: Marc Petit-Huguenin <petithug@acm.org>, "Pal Martinsen (palmarti)" <palmarti@cisco.com>, "tram@ietf.org" <tram@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Subject: Re: [tram] Transport of ICMP errors in TURN

> On Aug 27, 2015, at 8:23 AM, Simon Perreault <sperreault@jive.com> wrote:
> 
> On 2015-08-27 09:49, Cullen Jennings (fluffy) wrote:
>> 
>> A key part of TURN design was that it was not usable for running a
>> general purpose server that accepted traffic from anyone without
>> first identifying who it is that you want to get the traffic from. So
>> the client has to tell the TURN server which external hosts can send
>> it traffic.
>> 
>> Receiving ICMP violates this because you would need to accept stuff
>> from sources you had not given permission to send you stuff. That
>> allows TURN to be used to build generic servers which allows it to
>> circumvent firewall policy. One of the reasons we invented TURN
>> instead of using one of the other tunnel protocols was to not have
>> this problem.
> 
> Good point.
> 
> That is easily solved by having the TURN server enforce permissions on
> the 5-tuple of the ICMP error's encapsulated original packet. Exactly
> the same way stateful firewalls do it.
> 
> Simon

Yep, with that change it would be OK.

I find that many networks block ICMP for one reason or another, thus one cannot count on it working most of the time, so it has really limited value for applications, as they end up using a method that works all the time.
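The check Simon describes above, a TURN relay validating an inbound ICMP error against the 5-tuple of the original datagram it quotes, the way a stateful firewall matches ICMP errors to existing flows, as an added Python example that is not part of this thread or of any TURN implementation. It assumes a simplified permission model: each allocation records its relayed transport address and the set of peer IP addresses the client has permitted; the inner datagram must have been sent from the relayed address to a permitted peer, otherwise the ICMP error is dropped rather than forwarded to the client. The packets are constructed inline for illustration, and ICMP/IP checksums are not verified (assumed to be handled elsewhere).

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

# ICMP types that carry the offending original datagram after an 8-byte header
# (RFC 792): Destination Unreachable, Time Exceeded, Parameter Problem.
ICMP_ERROR_TYPES = {3, 11, 12}
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class FiveTuple:
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_icmp_error(packet: bytes) -> Optional[FiveTuple]:
    """Return the 5-tuple of the original datagram quoted inside an ICMPv4 error,
    or None if the packet is not an ICMP error or is too short / malformed."""
    if len(packet) < 8 + 20 + 8:        # ICMP header + minimal IPv4 header + L4 ports
        return None
    if packet[0] not in ICMP_ERROR_TYPES:
        return None
    inner = packet[8:]                   # quoted original IP datagram
    if inner[0] >> 4 != 4:               # only IPv4 handled in this example
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    src_ip = str(ipaddress.IPv4Address(inner[12:16]))
    dst_ip = str(ipaddress.IPv4Address(inner[16:20]))
    # For both TCP and UDP the first four bytes of the L4 header are the ports.
    src_port, dst_port = struct.unpack("!HH", inner[ihl:ihl + 4])
    return FiveTuple(proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class Allocation:
    """Hypothetical per-allocation state (assumption, not RFC text)."""
    relayed_ip: str
    relayed_port: int
    permitted_peers: set = field(default_factory=set)   # peer IPs the client permitted


def icmp_error_permitted(alloc: Allocation, packet: bytes) -> bool:
    """Relay-side decision: forward this ICMP error to the client only if the quoted
    datagram is one this allocation could have sent to a permitted peer."""
    t = parse_icmp_error(packet)
    if t is None:
        return False
    # The quoted datagram must originate from this allocation's relayed address...
    if (t.src_ip, t.src_port) != (alloc.relayed_ip, alloc.relayed_port):
        return False
    # ...and be addressed to a peer the client explicitly permitted.
    return t.dst_ip in alloc.permitted_peers


def build_icmp_error(icmp_type: int, code: int, src_ip: str, src_port: int,
                     dst_ip: str, dst_port: int, proto: int = PROTO_UDP) -> bytes:
    """Construct a minimal ICMPv4 error quoting an inner IP+L4 header (test data only)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src_ip).packed,
                           ipaddress.IPv4Address(dst_ip).packed)
    inner_l4 = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_l4


# Constructed sample data: documentation addresses, one permitted peer.
ALLOC = Allocation("192.0.2.10", 49152, {"198.51.100.5"})
# Port Unreachable for a datagram the relay sent to the permitted peer: forward.
PKT_PERMITTED = build_icmp_error(3, 3, "192.0.2.10", 49152, "198.51.100.5", 3478)
# Same error, but quoting a datagram to a peer with no permission: drop.
PKT_NO_PERMISSION = build_icmp_error(3, 3, "192.0.2.10", 49152, "203.0.113.7", 3478)
# Quoted datagram claims a different source than our relayed address: drop.
PKT_WRONG_SOURCE = build_icmp_error(11, 0, "192.0.2.11", 49152, "198.51.100.5", 3478)
# Plain Echo Request (type 8) is not an error and quotes nothing: drop.
PKT_ECHO = bytes([8, 0, 0, 0]) + bytes(32)

if __name__ == "__main__":
    for name, pkt in [("permitted", PKT_PERMITTED), ("no permission", PKT_NO_PERMISSION),
                      ("wrong source", PKT_WRONG_SOURCE), ("echo", PKT_ECHO)]:
        print(f"{name:14s} -> forward={icmp_error_permitted(ALLOC, pkt)}")
```

The design point is that the relay never trusts the outer source of the ICMP message (which is some router, not the peer); the permission check keys on the quoted inner datagram, so an unsolicited ICMP from an arbitrary host cannot reach the client unless it quotes a flow the client already opened.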